How to Respond to Data Subject Access Requests (DSARs) Under GDPR
In today’s data-driven world, individuals are more aware than ever of their rights over their personal information. The General Data Protection Regulation (GDPR) grants data subjects, meaning any natural person whose personal data is processed by an organisation within the Regulation’s scope (not only EU citizens or residents), a number of rights over that data, one of which is the right of access (Article 15). A Data Subject Access Request (DSAR) is a request by an individual for confirmation that their personal data is being processed, a copy of that data, and the supplementary information about the processing that Article 15 lists. Given the legal obligations surrounding such requests, businesses must handle them efficiently, transparently, and in full compliance with GDPR.
Handling these requests is not just a regulatory requirement but also a test of an organisation’s commitment to privacy, trust, and customer satisfaction. Failing to comply can result in heavy fines and reputational damage. Companies must therefore establish a clear process for identifying, handling, and responding to such requests appropriately.
Recognising a DSAR
DSARs do not have to follow a specific format. An individual can submit a request verbally, in writing, via email, through a website form, or even on social media. While organisations may encourage a structured approach by providing a preferred method for submissions, they cannot reject requests simply because they are made informally.
Additionally, the requester is not required to reference GDPR or specify that they are making a DSAR. It is the organisation’s responsibility to recognise and correctly process such requests. Employees, particularly those in customer service and front-line roles, should be trained to identify potential DSARs and ensure they are directed to the appropriate department.
Confirming the Requester’s Identity
Before fulfilling a request, businesses must verify the identity of the individual making the request. Disclosing a person’s data to someone impersonating them is itself a personal data breach, and fraudulent DSARs are a known social-engineering route to harvesting personal information, so verification is a security control rather than a formality. At the same time, organisations must strike a balance between security and accessibility: Article 12 requires controllers to facilitate the exercise of the right, so the process must not be excessively difficult or burdensome for the requester.
Acceptable identity verification procedures may depend on the sensitivity of the requested data and on how the organisation already knows the requester. Where the request arrives through an account the individual has already authenticated to, that is usually sufficient and no further documents should be demanded; highly sensitive data, or a request arriving through an unauthenticated channel such as a public email address, could warrant additional verification, such as government-issued identification. Ask only for what is needed to resolve a genuine doubt, do not retain copies of identity documents once the check is complete, and do not accept an unverified instruction to send the response to a new address, since the identity that was verified must match the destination the data is sent to. If an organisation reasonably requires further proof of identity, this should be communicated promptly to the requester, along with the rationale behind the request.
The one-month response period in Article 12(3) runs from receipt of the request. Where the organisation has reasonable doubts about the requester’s identity and asks for additional information (Article 12(6)), supervisory authorities such as the UK ICO treat the period as starting when that information is received, but the request for it must be made promptly, and verification cannot be used as a way to delay the response. Businesses should therefore confirm identity and process these requests as efficiently as possible to avoid unnecessary delays.
Gathering and Reviewing the Requested Data
Once a request has been authenticated, the organisation must identify all relevant personal data it holds about the individual. This can involve retrieving data from multiple systems, including databases, emails, physical files, cloud storage, backups, and third-party processors, whose contracts must already oblige them to assist with data subject requests (Article 28(3)(e)). Maintaining an up-to-date record of processing activities and a data inventory that maps which systems hold which categories of personal data significantly reduces the risk of missing information and makes each search repeatable.
Before disclosing any data, businesses must conduct a thorough review to ensure that information is provided accurately, securely, and in compliance with other legal obligations. Particular attention must be given to:
– Third-party data: If the requested data contains information about other individuals, the copy must not adversely affect their rights and freedoms (Article 15(4)), so redacting or removing third-party details is often necessary unless the third party has consented to disclosure or it is otherwise reasonable to disclose without consent (for example, where the requester already knows the information). Redact the third-party detail rather than withholding the whole document where possible, and record the reasoning for each redaction, since organisations must balance the requester’s access rights with the privacy of others.
– Legally exempt data: Certain types of data can be exempted from disclosure. The exemptions derive from Article 23 and the national law implementing it (in the UK, Schedule 2 to the Data Protection Act 2018) and include legal advice covered by legal professional privilege, information processed for crime prevention or law enforcement purposes, and information that could prejudice an ongoing investigation. Each exemption must be assessed on its own terms and the assessment documented, as excessive redactions or refusals to provide information without valid justification may lead to compliance issues.
– Excessive or unfounded requests: If a request is manifestly unfounded or excessive, particularly if it is repetitive, an organisation may refuse to act on it or charge a reasonable fee for administrative costs. However, such determinations must be well-documented, and the requester should be provided with a clear explanation.
Providing the Data in an Appropriate Format
Under Article 15(3), where a request is made by electronic means the information should be provided in a commonly used electronic form unless the requester asks otherwise, and the first copy must be free of charge. Printed copies may be requested, but digital delivery is usually preferable because it is easier to secure, structure, and interpret. A DSAR response is typically a readable export (for example a PDF or a structured spreadsheet) together with the supplementary information; a structured, machine-readable format such as CSV or JSON is what the separate right to data portability (Article 20) requires, and is worth offering where the same export can serve both rights.
Additionally, companies must ensure that the transmission of data is secure. A DSAR response is, by design, a concentrated package of one person’s data, so sending it to the wrong address or over an unprotected channel is itself a reportable breach. Prefer delivering it through a channel the requester has already authenticated to, such as a secure customer portal or a download link tied to their account. Where email is unavoidable, send the file encrypted and pass the password through a separate channel (for example a phone number already held on record) rather than in the same message, and send only to the address confirmed during identity verification.
Businesses must also accompany the copy with the supplementary information Article 15(1) requires: the purposes of the processing, the categories of data concerned, the recipients or categories of recipients (including any third parties and any international transfers), the envisaged retention period, the source of the data where it was not collected from the individual, and the existence of any automated decision-making, including profiling, with meaningful information about its logic and consequences. Transparency at this stage promotes trust and ensures the individual fully understands how their data has been handled.
Meeting Response Timeframes
Organisations are required to respond to DSARs without undue delay and in any event within one month of receipt. Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months (Article 12(3)). If an extension is necessary, the requester must be informed within the initial one-month window, along with the reasons for the delay.
Businesses operating across multiple jurisdictions or handling vast amounts of personal data should implement automated DSAR management systems to streamline processing and avoid breaching deadlines. Regular audits of response times and internal workflows can identify potential efficiency improvements.
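As an added example, not part of the original article, the deadline arithmetic above in Python. It applies the corresponding-date rule used by supervisory authorities (a request received on 31 January is due on the last day of February, because February has no 31st), starts the clock from the later of receipt and identity confirmation as discussed earlier, and treats the extended period as three months from that start. The three-month reading of the extension, the absence of any roll-forward for weekends or public holidays, and the function and field names are this example’s own assumptions, not anything the article or a regulator prescribes.

```python
"""Compute GDPR DSAR response deadlines (Article 12(3)).

Added example, not from the original article. Assumptions:
  * corresponding-date rule: one month after the 31st of a month ends on
    the last day of the next month if that month has no 31st;
  * the clock starts at receipt, or at identity confirmation if later;
  * the two-month extension is measured from the same start, i.e. three
    months in total (a simplification; check your regulator's guidance);
  * no adjustment for weekends or public holidays.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Return the corresponding calendar date `months` later.

    If the target month has no such day (e.g. 31 Jan + 1 month), the
    period ends on the last day of the target month instead.
    """
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class DsarDeadlines:
    clock_start: date                  # day the one-month period began
    initial_deadline: date             # Article 12(3) one-month deadline
    extension_notice_due: date         # any extension must be notified by this date
    extended_deadline: Optional[date]  # set only when an extension was invoked


def dsar_deadlines(received: date,
                   identity_confirmed: Optional[date] = None,
                   extended: bool = False) -> DsarDeadlines:
    """Work out the response deadlines for a request received on `received`.

    `identity_confirmed` is the date any additional identity information
    arrived; if it is later than `received`, the clock starts from it.
    """
    clock_start = received
    if identity_confirmed is not None and identity_confirmed > received:
        clock_start = identity_confirmed
    initial = add_months(clock_start, 1)
    extended_deadline = add_months(clock_start, 3) if extended else None
    # The notice of an extension is due by the original one-month deadline.
    return DsarDeadlines(clock_start, initial, initial, extended_deadline)


def effective_deadline(d: DsarDeadlines) -> date:
    """The date by which the response must actually be sent."""
    return d.extended_deadline or d.initial_deadline


def is_overdue(d: DsarDeadlines, today: date) -> bool:
    """True once `today` is past the effective deadline."""
    return today > effective_deadline(d)


def deadlines_from_iso(received: str,
                       identity_confirmed: Optional[str] = None,
                       extended: bool = False,
                       today: Optional[str] = None) -> dict:
    """Convenience wrapper: ISO-8601 dates in, ISO-8601 dates out."""
    dl = dsar_deadlines(
        date.fromisoformat(received),
        date.fromisoformat(identity_confirmed) if identity_confirmed else None,
        extended,
    )
    out = {
        "clock_start": dl.clock_start.isoformat(),
        "initial_deadline": dl.initial_deadline.isoformat(),
        "extension_notice_due": dl.extension_notice_due.isoformat(),
        "extended_deadline": (dl.extended_deadline.isoformat()
                              if dl.extended_deadline else None),
        "effective_deadline": effective_deadline(dl).isoformat(),
    }
    if today:
        out["overdue"] = is_overdue(dl, date.fromisoformat(today))
    return out


if __name__ == "__main__":
    # Constructed sample: request received 31 January in a leap year, identity
    # documents arriving a few days later, and an extension invoked.
    for key, value in deadlines_from_iso("2024-01-31", "2024-02-05",
                                         extended=True, today="2024-05-10").items():
        print(f"{key:>22}: {value}")
```

A tracking system built on this should store the computed `extension_notice_due` date as its own reminder, since missing that notice is a separate failure from missing the final deadline.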
Communicating with the Requester
Effective communication throughout the DSAR process fosters transparency and ensures a positive requester experience. If an organisation encounters delays, difficulties retrieving data, or valid reasons to withhold certain information, these must be communicated professionally, clearly, and in compliance with GDPR.
In cases where a request is refused, in whole or in part, the organisation must inform the requester without delay and at the latest within one month of receipt, explaining the reasons and informing them of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy (Article 12(4)). Open, courteous communication reduces the likelihood of escalation and demonstrates a strong commitment to data privacy rights.
Keeping Records of DSARs
Maintaining an internal record of DSARs is essential to demonstrate compliance. Companies should log details such as the date the request was received, how it was processed, the information provided, and any steps taken to fulfil the request. While organisations should not retain the personal data retrieved solely for the purpose of processing a DSAR beyond the required response period, a record of the request itself and its resolution can be kept to show compliance with GDPR in case of future audits or complaints.
Lessons from Enforcement Actions
GDPR enforcement actions highlight the risks of non-compliance with data access rights. Several large companies have faced sanctions for failing to provide copies of requested personal data in a timely manner or for denying requests without appropriate justification. Regulators expect clear processes and accountability, which means businesses of all sizes must take DSAR handling seriously.
Failure to meet GDPR requirements can result in severe financial and reputational consequences. Infringements of data subjects’ rights under Articles 12 to 22 fall in the upper tier of administrative fines (Article 83(5)), which can reach €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Beyond fines, failing to properly respond to DSARs can severely damage customer trust, leading to lost business and long-term reputational harm.
Preparing Internally to Handle DSARs Effectively
To ensure seamless DSAR handling, organisations should:
– Implement company-wide policies and procedures for processing requests.
– Train employees, particularly those in customer-facing and data protection roles, to identify and escalate DSARs properly.
– Establish a secure, centralised system to retrieve and manage data efficiently.
– Periodically review and audit DSAR handling procedures to identify areas for improvement.
Taking a proactive approach to DSAR compliance not only reduces the risk of regulatory action but also strengthens an organisation’s overall data protection capabilities. Consumers and regulators alike expect businesses to handle personal data responsibly, and meeting these expectations can offer competitive advantages in an increasingly privacy-conscious market.
GDPR has placed individual data rights at the forefront of privacy regulations. Handling DSARs correctly is an essential part of a business’s broader compliance obligations. By streamlining procedures, training staff, securing data, and prioritising transparency, organisations can successfully meet GDPR requirements while reinforcing trust with their customers.